HIPAA, HITECH & HIT
http://hipaahealthlaw.foxrothschild.com
Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Dumpster Diving for PHI Exposes Business Associate (and Physician Practice) to Liability
Fri, 31 Jul 2015
http://hipaahealthlaw.foxrothschild.com/2015/07/articles/uncategorized/dumpster-diving-for-phi-exposes-business-associate-and-physician-practice-to-liability/

A Chicago record storage and disposal company has been named in a complaint filed by the Illinois Attorney General as a result of the negligent disposal of a medical practice’s patient records in an unlocked dumpster. The complaint alleges that FileFax, Inc. violated the Illinois Consumer Fraud and Deceptive Business Practices Act by failing to handle the records entrusted to it for secure disposal by the practice, Suburban Lung Associates, as required by the Illinois Personal Information Protection Act as well as HIPAA.

Not only did FileFax allegedly discard the records in its unlocked dumpster adjacent to its place of business, but more incredibly, a FileFax employee permitted another individual to remove 1,100 pounds of records and take them to another facility for recycling. The recycler, Shred Spot, recognized the documents as protected health records and refused to recycle them. After consulting his trade association, the National Association for Information Destruction, Shred Spot owner Paul Kaufmann contacted the office of Attorney General Lisa Madigan, according to the Chicago Tribune.

Adding to the perfect storm, shortly after the records were delivered to Shred Spot, Dave Savini, an investigative reporter for CBS Chicago, took a film crew to the dumpster outside of the FileFax facility which remained full of Suburban Lung’s records and remained unlocked, accessible by the general public. He noted:

“It is an identity thief’s dream, and a nightmare for patients. Medical files, tossed in the trash, contain personal information including drivers’ licenses, Social Security numbers and even medical histories.”

Watch his report here:
Illinois Attorney General agents and representatives of the Department of Health and Human Services then conducted a site visit of the Shred Spot facility, and documented the return of the records to the practice.

FileFax faces civil penalties and injunctive relief under the AG’s suit including a $50,000 fine for violation of the Consumer Fraud Act and an additional $10,000 for each violation that involved a senior citizen, plus costs of investigation and prosecution, along with another civil penalty of $50,000 for improperly disposing of sensitive personal information and protected health information under the state’s Personal Information Protection Act. At this point it is not clear what additional sanctions may be sought by HHS under HIPAA. Further, Suburban Lung Associates may face vicarious liability for the negligence of its business associate, FileFax.

“Reporters love to dumpster dive. It’s more sexy [than some other HIPAA violations],” says Kline. “It’s a horror show for the covered entity. And if there’s no business associate agreement, it’s even worse,” he adds.

In the interview, they emphasized the need to treat record storage and disposal companies as seriously as other third-party contractors handling patient-related items, to verify a vendor’s HIPAA compliance efforts before engaging them and to continue monitoring their compliance.

“Consider medical information as other waste, as if it’s toxic. If it’s not disposed of properly, there could be liability,” says Litten.

Further, a covered entity’s business associate agreement is its best defense when a business associate drops the ball. “You need to know that the business associate knows and complies with HIPAA and state law,” says Litten.

In addition, business associates should be required to notify covered entities within a few days of discovering a breach, and should be required to pay for any costs they have caused the covered entity to incur, including credit monitoring.

HIPAA-Type Protections Are Not Just For Humans – When It Comes To Medical Records, Animals Have Privacy Rights, Too (Part 1)
Mon, 27 Jul 2015
http://hipaahealthlaw.foxrothschild.com/2015/07/articles/privacy/hipaa-type-protections-are-not-just-for-humans-when-it-comes-to-medical-records-animals-have-privacy-rights-too-part-1/

Co-authored by Nancy Halpern, DVM, Esq.; also posted on Animal Law Update

HIPAA does not protect animals’ health information – it applies to the protected health information (or PHI) of an “individual”, defined as “the person who is the subject of” the PHI. However, state laws governing the confidentiality of health information also come into play and, in some cases, expand upon HIPAA’s privacy protections.


Physicians, for example, must abide by state law and licensing board requirements specific to medical record maintenance and confidentiality. In most states, veterinarians, like physicians, are required by law to keep the medical records of their patients confidential, unless their client — the patient’s owner — authorizes the release of the medical records, or the records are requested by the State Board of Veterinary Medical Examiners or as ordered by a court.

This requirement was affirmed in several legal opinions recently issued by the Texas Attorney General in response to letters sent from the Office of General Counsel of Texas A&M University asking “whether certain information is subject to required public disclosure under the Public Information Act (the “Act”), chapter 552 of the [Texas] Government Code.” Texas A&M had received at least 48 requests “for information pertaining to specified dogs and any specified protocols pertaining to the dogs at issue during a specified time period.”

The requests for information came from individuals claiming to have “virtually adopted” the dogs in question, as reported by expressnews.com.

The Beagle Freedom Project, whose mission is to “rescue beagles used in animal experimentation in research laboratories,” encourages people to adopt research animals virtually, even though those animals are actually already owned by various research institutions and universities across the country.

The “adopters” then demand the medical records of their “adopted” animals in letters citing the state’s open public records act which sets forth requirements of various state agencies to provide requested information within a prescribed period of time.

Texas A&M has refused to provide that information, based on the opinion of the state Attorney General citing the restrictions in the Texas Veterinary Practice Act, which requires a veterinarian to maintain medical records confidentially and provides that the veterinarian can only release those records upon receipt of:

(1) a written authorization or other form of waiver executed by the client; or

Joseph Larsen, a Houston-based open records lawyer, said if Texas A&M owns the animals, the chapter cited in the attorney general’s opinion that grants veterinarian-client confidentiality should not apply because the veterinarians are working for the university. He said the law applies only to veterinarians who see animals that are owned by someone else.

However, nothing in the Texas Veterinary Practice Act provides such an exception.

To Be Continued…

Athletes Do Not Leave Their HIPAA Rights At The Locker Room Door
Tue, 21 Jul 2015
http://hipaahealthlaw.foxrothschild.com/2015/07/articles/privacy/athletes-do-not-leave-their-hipaa-rights-at-the-locker-room-door/

HIPAA has made an unlikely appearance twice already this month in news reports involving famous athletes.

Between the Pierre-Paul medical record tweet by ESPN reporter Adam Schefter earlier this month (discussed by my partner and fellow blogger Bill Maruca here) and the ticker-tape parade featuring confetti made of shredded (but apparently legible) medical information raining down on U.S. Women’s soccer team in New York City (reported by WFMY news here), it seems HIPAA breaches and athletes have had an uncanny affinity for one another this summer, particularly in New York City.

Setting the attenuated coincidence of these events aside, the Pierre-Paul incident provides an opportunity to review when medical information that relates to one’s employment is protected under HIPAA and when it isn’t.

In 2002, the U.S. Department of Health and Human Services (HHS), the agency responsible for enforcing HIPAA, considered a comment to a proposed HIPAA regulation suggesting that “health information related to professional athletes should qualify as an employment record,” and, thus, not be considered protected health information under HIPAA. HHS was quite clear in responding that a professional athlete has the same HIPAA rights as any other individual:

If this comment is suggesting that the records of professional athletes should be deemed “employment records” even when created or maintained by health care providers and health plan, the Department disagrees. No class of individuals should be singled out for reduced privacy.

HHS refused to provide a definition of “employment record”, fearing that it might “lead to the misconception that certain types of information are never protected health information, and will put the focus incorrectly on the nature of the information rather than the reasons for which” the information was obtained.

HHS went on to explain how and when protected health information might become “employment record” information:

For example, drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee’s authorization, the test results are provided to the … employer and placed in the employee’s employment record.

HHS further clarified that:

… medical information needed for an employer to carry out its obligations under FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by … an employer.

Going back to Pierre-Paul, the mere fact that his injury could affect his ability to perform as a professional athlete did not automatically turn the protected health information related to the injury (the medical record created by the hospital) into “employment records” exempt from HIPAA protection. It isn’t unless and until protected health information is disclosed to the employer pursuant to the individual’s authorization that it becomes an “employment record” no longer subject to HIPAA. Even if an individual’s disclosure of medical records is a condition of employment (apparently not the case in Pierre-Paul’s situation), it is the individual’s authorization that allows its disclosure, not the category or class of the individual.

Fireworks over ESPN’s tweet of NFL player’s medical records
Fri, 10 Jul 2015
http://hipaahealthlaw.foxrothschild.com/2015/07/articles/privacy/fireworks-over-espns-tweet-of-nfl-players-medical-records/

New York Giants’ defensive end Jason Pierre-Paul suffered hand injuries while handling fireworks on July 4. A screenshot of a page from his hospital records was tweeted by ESPN reporter Adam Schefter on July 8, resulting in a flurry of speculation over whether the disclosure may have violated HIPAA or other privacy laws. In an article by Zosha Millman published today by LXBN, the Lexblog Network, our partners and frequent blog contributors Michael Kline and Elizabeth Litten are quoted extensively about the implications of the publication of these records by a media outlet, the health privacy rights of public figures and the effect, if any, of the NFL’s collective bargaining agreement on such disclosures. The article is here: Did That ESPN Reporter’s Tweet Violate HIPAA?

A critical question is how the ESPN reporter obtained the records, from whom and under what circumstances. Although HIPAA does not directly regulate parties other than Covered Entities and their Business Associates, the law provides for criminal penalties for unauthorized use or disclosure of individually identifiable health information with the intent to sell, transfer, or use such information for commercial advantage, personal gain or malicious harm, including fines of up to $250,000, and imprisonment for up to ten years. The Department of Justice has stated that “the liability of persons for conduct that may not be prosecuted directly under section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability.”

Illicitly obtained medical records should be contrasted with health information that is released voluntarily by the individual patient. For instance, in the Ebola infection incidents of October 2014, it appears that some information reported in the media may have been voluntarily disclosed by the affected individuals or their families. Nevertheless, famous individuals, whether their fame arises out of their health condition or because of their prominence as athletes, entertainers or politicians, have the same health privacy rights as others and those rights should be safeguarded by covered entities and their business associates.

Expert Interview with William Maruca About Protecting Medical Records
Sun, 05 Jul 2015
http://hipaahealthlaw.foxrothschild.com/2015/07/articles/privacy/expert-interview-with-william-maruca-about-protecting-medical-records/

Our partner Bill Maruca, who is the Editor and a frequent contributor to this blog, was recently interviewed by PracticeSuite as part of their Expert Interview program. In the course of his interview, Bill discusses patient confidentiality, keeping records safe and private, and trends in the medical billing industry.

One important recommendation by Bill is taken from his earlier post on this blog: encrypt all electronic protected health information (ePHI), especially when transferring it via email, cloud storage or FTP sites or saving it to mobile devices. The loss of properly-encrypted PHI may not be a HIPAA breach even if a device is lost or stolen, or an email or electronic file is sent to the wrong recipient.

The Jiggery-Pokery of HIPAA Hacks
Mon, 29 Jun 2015
http://hipaahealthlaw.foxrothschild.com/2015/06/articles/privacy/the-jiggery-pokery-of-hipaa-hacks/

I must thank Justice Scalia for injecting this delightfully descriptive term into the realm of health care. Justice Scalia’s scathing dissent from the majority in the recent Supreme Court decision interpreting the Patient Protection and Affordable Care Act is rife with memorable expressions, but this is my favorite.

It’s not a term I’ve ever used before, but this old-fashioned, Dickensian-sounding term somehow practically begs for use in a very modern and increasingly common context: the HIPAA hacking incident. A recent article in Becker’s Hospital Review lists the “50 biggest data breaches in healthcare,” and the most common breach causes are far and away hacking and theft. Notably, hacking incidents result in the highest number of affected individuals. Here is the break-down:

In short, it seems that jiggery-pokery is involved far more often than mere carelessness when it comes to HIPAA breaches. Covered entities and business associates should be alert to dishonest or suspicious activity generally, including from within, but should be especially alert when that activity involves the systems or equipment on which protected health information is created, received, maintained, or transmitted.

With data breaches being the quickly trending “flavor of the month” criminal activity, it’s no shock that on June 4, 2015 yet another system was hit. This time though, it may be one of the largest cyberattacks in U.S. history—compromising as many as 4 million current and former federal employees’ information. The U.S. Office of Personnel Management (OPM) handles security clearances and background checks and although many would assume that its security is top-notch, the facts on the ground reveal that every place taking in sensitive information—including the government—must update its privacy infrastructure.

In his press statement on Thursday, Rep. Adam Schiff, the ranking member of the House Permanent Select Committee on Intelligence, echoed that sentiment and stated that “Americans may expect that federal computer networks are maintained with state of the art defenses [but] it’s clear a substantial improvement in our cyber-databases defenses is perilously overdue.” This does not only apply to systems of this magnitude.

Any business that maintains databases with private information must invest in the proper privacy infrastructure necessary to protect that information. Cyberattacks do not discriminate. From major retailers to well-respected state universities, data breaches run the gamut and, from the looks of Thursday’s attack, they are getting more sophisticated. OPM is now working closely with the FBI and the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team to attempt to identify the extent of the harm to federal personnel. But not everyone has the luxury of the entire U.S. government as a “crisis manager,” so preventive measures for businesses will make a difference.

At this time, one of the most troubling facts of cyberattacks is that the source is difficult to locate. Sen. Susan Collins, a member of the Senate Intelligence Committee, said the hack was “extremely sophisticated,” and “that points to a nation state” as the responsible party, likely China. No conclusive source has been discovered yet but the lesson here is clear—with private information being involved in almost every aspect of business, measures must be taken to protect it.

When Privacy Policies Should NOT Be Published – Two Easy Lessons From the FTC’s Nomi Technologies Case
Tue, 26 May 2015
http://hipaahealthlaw.foxrothschild.com/2015/05/articles/privacy/when-privacy-policies-should-not-be-published-two-easy-lessons-from-the-ftcs-nomi-technologies-case/

This case has nothing to do with HIPAA, but should be a warning to zealous covered entities and other types of business entities trying to give patients or consumers more information about data privacy than is required under applicable law. In short, giving individuals more information is not better, especially where the information might be construed as partially inaccurate or misleading.

The Federal Trade Commission (FTC) filed a complaint against Nomi Technologies, Inc., a retail tracking company that placed sensors in clients’ New York City-area retail stores to automatically collect certain data from consumers’ mobile devices as they passed by or entered the stores. Nomi’s business model was publicized in a July 2013 New York Times article. The complaint alleged, among other things, that although Nomi’s published privacy policy stated that Nomi would “allow consumers to opt out of Nomi’s [data tracking] service on its website as well as at any retailer using Nomi’s technology,” Nomi actually only allowed consumers to opt out on its website — no opt-out mechanism was available at the clients’ retail stores.

The FTC voted 3-2 to accept a consent order (published for public comment on May 1, 2015) from Nomi under which Nomi shall not:

“[M]isrepresent in any manner, expressly or by implication: (A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.”

The odd aspect of this complaint and consent order is that Nomi did not track or maintain information that would allow the individual consumers to be identified. The media access control (MAC) address broadcast by consumers’ mobile devices as they passed by or entered the stores was cryptographically “hashed” before it was collected, creating a unique identifier that allowed Nomi to track the device without tracking the consumer him/herself. As dissenting Commissioner Maureen Ohlhausen points out, Nomi, as “a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out.” The majority, however, focuses on the fact that the opt out was partially inaccurate, then leaps to the conclusion that the inaccuracy was deceptive under Section 5 of the FTC Act, without pausing to reflect on the fact that the privacy policy and opt out process may not have been required by law in the first place.

So while many HIPAA covered entities and other businesses may want to give consumers as much information as possible about data collection, the lesson here is twofold: first, make sure the notice is required under applicable law (and, if it’s not, be sure the benefits of notice outweigh potential risks); and, second, make sure the notice is 100% accurate to avoid FTC deceptive practices claims.

Two recently reported breaches of hospital data affecting thousands of patients highlight the prevalence, and apparent success, of phishing attacks. Boston-based Partners HealthCare notified approximately 3,300 patients after a group of staff members were tricked by a phishing scam, and Indiana-based St. Vincent Medical Group, a 20-hospital system that is part of Ascension Health, reported a breach affecting nearly 760 patients that resulted from a phishing attack that involved a single employee’s email account.

The Department of Health and Human Services (HHS), Office of the Chief Information Officer, published an “Information Systems Security Awareness Training” document for FY 2015 that is simple to follow, has easy and useful tips, and even includes enough pictures and graphic images to make what could be dull cybersecurity lessons visually stimulating (the kitten fishing photo comes from page 34).

The phishing-avoidance tips from HHS may seem obvious, but are worth regular review with covered entity and business associate staff that use company email accounts:

* NEVER provide your password to anyone via email.

* Be suspicious of any email that:

  – Requests personal information.

  – Contains spelling and grammatical errors.

  – Asks you to click on a link.

  – Is unexpected or from a company or organization with whom you do not have a relationship.

* If you are suspicious of an email:

  – Do not click on the links provided in the email.

  – Do not open any attachments in the email.

  – Do not provide personal information or financial data.

  – Do forward the email to the HHS Computer Security Incident Response Center (CSIRC) at csirc@hhs.gov and then delete it from your Inbox.

Although HHS’ CSIRC undoubtedly does not want a barrage of emails from non-government entity staff reporting potential phishing attacks, a covered entity or business associate should articulate a similar process for staff to follow when a suspicious email is identified.

Bill Maruca, a Fox Rothschild partner and editor of this blog, added the following tips for recognizing potential phishing emails:

* Be suspicious of any email that:

  – Includes multiple other recipients in the “to” or “cc” fields.

  – Displays a suspicious “from” address, such as a foreign URL for a U.S. company or a gmail or other “disposable” address for a business sender. However, even when the sender’s address looks legitimate, it can still be “spoofed” or falsified by a malicious sender.

Bill points out that he has noticed these indicators in phishing emails in the past, even those that otherwise looked like they came from official sources.

Providers: Beware of HIPAA and Patient Privacy Rules During Employment Disputes
Wed, 29 Apr 2015
http://hipaahealthlaw.foxrothschild.com/2015/04/articles/privacy/providers-beware-of-hipaa-and-patient-privacy-rules-during-employment-disputes/

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Beware of HIPAA, Patient Privacy During Practice Employment Disputes.” The full text can be found in the March 30, 2015 issue of Medical Practice Compliance Alert, but a synopsis is below.

The opinion in the case of Peace et al. v. Premier Primary Care Physicians S.C. et al. (the “Peace Case”) in the U.S. District Court for the Northern District of Illinois highlights how privacy rights do not give physician practices free rein to use patient information for their own purposes without potential serious legal fallout. In the Peace Case a physician practice group (the “Practice”) terminated two employees, citing, among other things, poor job performance and rude and unprofessional behavior to patients. The Practice then refused to reveal to the terminated employees the names of specific patients who had purportedly complained of such unprofessional behavior.

The District Judge sided with the former employees to some extent and ordered the Practice to provide contact information for a limited number of such patients, so that the terminated employees could contact and interview them as part of the discovery process in their employment lawsuit against the Practice. Elizabeth observed, “The physicians had enough information [to justify the termination] without putting patients in the middle. The [P]ractice put itself in a position to now have to turn over patient information and alienate patients.”

The Peace Case also demonstrates the confusion surrounding privacy rights, as the Practice may have violated HIPAA patient privacy requirements by having to disclose patient protected health information (“PHI”) without authorization. Unfortunately, Elizabeth suspects, the judge and attorneys in the Peace Case appeared not to have known much about HIPAA, so its applicability was not adequately addressed. I was quoted as adding the following to Elizabeth’s point:

It looks like the judge factored a remedy designed to pressure them [the Practice and the terminated employees] to settle. Even if the [former] employees were entitled to PHI in their employment suit, HIPAA likely was not followed. There was neither protective order [limiting the disclosure] nor [adherence to HIPAA’s] minimum necessary requirements. Either party would have helped their cases here by invoking HIPAA.

Practices should also take caution when using PHI and identities of patients to justify employment decisions. “The [P]ractice should have downplayed the role of patients,” Elizabeth advised.

In summary, in order for physicians to protect their practices, they must be certain that the practice and its legal counsel understand HIPAA obligations with respect to privacy and security in the context of employment disputes. The judge may need guidance in this area or even to be alerted that HIPAA may be an issue.